An Overview on 802.11 Wireless LAN Security
Wireless technology is an exciting and evolving communication system, but it is not fully secure. This paper explores the existing threats and vulnerabilities of wireless LANs, with possible solutions and recommendations, together with a brief overview of wireless methodology to familiarize the reader with the technology. The survey is intended to help wireless users and administrators with security implementation and maintenance.
Index Terms—Wireless LAN (Local Area Network), Access Point, Eavesdropping, 802.1x, Extensible Authentication Protocol, Temporal Key Integrity Protocol, Association, Rogue Access Point.
A wireless LAN is based on a cellular architecture in which the system is subdivided into cells, each controlled by an access point. Stations communicate with each other over radio frequency using spread spectrum technologies such as Direct Sequence Spread Spectrum and Frequency Hopping Spread Spectrum, or using infrared technology.
* A WLAN allows users to access resources without being locked to their desks.
* WLANs are popular due to CONVENIENCE and COST.
A WLAN is susceptible to attack because all data is sent through the air, where anyone within range can send or receive it. The FCC has defined the frequencies a WLAN may use, both licensed and license free.
* ISM Band: ISM is a license-free band; its ranges are 902 MHz, 2.4 GHz and 5 GHz, with widths varying from 26 MHz to 150 MHz.
* UNII Band: UNII holds three unlicensed 5 GHz bands, each 100 MHz wide.
II. WIRELESS STANDARD
The FCC regulates the use of wireless LAN devices by enforcing the law, while the IEEE is responsible for drafting and setting the standards. The wireless LAN standards currently being explored in the field of communications technology are:
1. IEEE 802.11.
[Table-1: Standards Classification; columns: Freq. Range (GHz), Maximum Data Rate (Mbps); the table body is not present in the source]
III. TYPES OF WIRELESS LAN
Wireless LANs can be broadly classified into two categories.
* Ad hoc Wireless LAN.
* Infrastructure Wireless LAN.
In ad hoc mode, nodes join together directly in peer-to-peer connections, with no centralized management. Infrastructure mode is centralized to some degree, since resource allocation is done through an access point.
IV. CONNECTION METHODOLOGY
The process of connecting to a wireless LAN consists of two steps.
The client is first authenticated by the network and is then associated with the access point in order to use resources or to send data through it. This gives three states of authentication and association: Unauthenticated & Unassociated, Unauthenticated & Associated, and Authenticated & Associated. The transitions between them depend on the access point, which performs both the authentication and the association.
V. AUTHENTICATION METHODS
The IEEE 802.11 standard specifies two methods of authentication.
* Open System Authentication.
* Shared Key Authentication.
In open system authentication there is effectively no security: the client requests authentication knowing only the access point's SSID, and the request is accepted. In shared key authentication the client requests authentication, the access point responds with a challenge in clear text, the client encrypts the challenge with its key and sends it back, and the access point decrypts it; if the result matches the challenge, the client is authorized.
VI. SECURITY ISSUE
Wireless media is vulnerable because of its open nature: anyone can enter the network simply by being within the coverage area of an access point, and traffic can easily be monitored with software, resulting in eavesdropping, as the eavesdropping figure shows. There are several categories of threat, among them war drivers, hackers, employees and rogue access points. War driving is a way of entering a network to gain free Internet access; the attacker uses freely available tools, or high-powered antennas, to penetrate the network. Hackers, on the other hand, have more serious intentions, such as stealing valuable information or shutting down the whole network, and unlike in a wired network they do not have to pass through the firewall. Employees may cause security breaches intentionally or unintentionally, through negligence or by leaking the company's information to a hacker or other outsider. A rogue access point is set up by capturing packets of the wireless LAN, including the SSID and WEP keys, configuring an access point with the same settings and security configuration, and getting the organization's clients to use it, so that the valuable information they exchange is easily trapped.
VII. WEAKNESS IN SECURITY
The main security breach in 802.11 is its sole reliance on Wired Equivalent Privacy (WEP), the encryption algorithm used by the shared key authentication process to authenticate users and to encrypt data; the IEEE defines its use. WEP uses the RC4 stream cipher for confidentiality and the CRC-32 checksum for integrity, and comes in two flavours, 64 bit and 128 bit. A WEP key consists of two parts, an Initialization Vector (IV) and a secret key, but the IV is sent in clear text and can therefore be traced and easily intercepted. 802.11 defines only a basic level of authentication. Hence the intended security properties of a wireless LAN, Confidentiality, Data Integrity and Access Control, are hardly met. Various methods of resolving these issues are discussed later in this paper.
VIII. WLAN SECURITY ATTACKS
A wireless LAN is very vulnerable to attack, since any hacker in the proximity of the access point can penetrate the network. A hacker can gain access to, or disable, the network in several ways, some of which are as follows:
1. Passive Attacks
* Dictionary based attacks.
* Cracking the WEP key.
2. Active Attacks
* Authentication Spoofing.
* Message Injection.
* Message Modification.
* Message Decryption.
3. Jamming Attack.
Passive attacks such as eavesdropping are the simplest and most effective type of attack, and leave no sign of the hacker's presence, because the hacker never actually connects to the access point. They are carried out with protocol analyzer tools from a short distance to the access point and gather valuable information about the network without leaving a trace, as seen in the eavesdropping figure. From the gathered data, in what is called a dictionary attack, the WEP keys can be cracked using software.
Active attacks require the attacker's presence at the access point in order to perform some function on the network, and can be very dangerous: the attacker may target a server holding valuable information and interrupt the work of the organization and its infrastructure. The worst case is a hacker who has entered through the access point and removes all MAC filters so as to gain access again later, which hardly anyone could identify. Active attacks include injecting other traffic and, once access is gained, modifying or altering data, decrypting data, and rebroadcasting it with an altered header, resulting in flooding.
A jamming attack is a technique that shuts down the whole wireless network with overwhelming RF signals. It can be intentional or unintentional, and the interfering signal may be removable or non-removable. The main tool for this kind of attack is a high-power RF signal generator. It is not a common attack, since the antenna and accessories cost a lot.
In a man-in-the-middle attack a hacker uses his own access point to hijack mobile nodes by sending a stronger signal than the legitimate access point serving them. The nodes then communicate with the rogue access point and send their important or valuable information to the hacker. The attack uses an access point with much more power than the legitimate one.
Kismet, NetStumbler and DStumbler are some of the tools used for penetrating networks.
IX. SUMMARY OF 802.11 VULNERABILITIES
1. Insecure access points and client stations.
2. The SSID is broadcast, so everyone in proximity can find the network.
3. The IV size is very small.
4. Key management is needed, but no such functionality is provided.
5. Easily attacked due to its weak nature.
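The two WEP weaknesses stated above (Section VII: the IV travels in clear text; item 3: the IV space is very small) as an added, runnable illustration that is not part of the original paper. The key-ID byte and CRC-32 ICV are omitted, and the secret key and IV values are constructed:

```python
import math

IV_BITS = 24  # WEP IV is 3 bytes, sent in clear in front of every frame


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA), the stream cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: cleartext IV followed by plaintext XOR
    RC4(IV || secret). The key-ID byte and CRC-32 ICV are omitted."""
    keystream = rc4(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def iv_reuse_cancels_keystream(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Why a repeated IV matters: two frames under the same IV share one
    keystream, so XORing the two ciphertexts removes the key entirely."""
    c1 = wep_encrypt(secret, iv, p1)[3:]
    c2 = wep_encrypt(secret, iv, p2)[3:]
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))


def iv_collision_probability(frames: int) -> float:
    """Birthday-bound estimate of P(some IV repeats) after `frames` frames
    with IVs drawn uniformly from the 2^24 space."""
    return 1.0 - math.exp(-(frames ** 2) / (2 * 2 ** IV_BITS))


if __name__ == "__main__":
    key = b"\x0b" * 5  # constructed 40-bit WEP secret (the "64 bit" flavour)
    print(wep_encrypt(key, b"\x00\x00\x01", b"hello").hex())  # IV visible as first 3 bytes
    print(iv_collision_probability(4096))  # about 0.39 after only 4096 frames
```

Per-frame IVs on a busy access point are exhausted in hours, which is why the later sections call for dynamic keying rather than a static WEP key.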
X. WLAN SECURITY TECHNIQUES
A wireless LAN is prone to vulnerabilities and threats, so to cope with such attacks we need techniques such as the following:
1. Filter everything on the network by SSID, MAC address and protocol, so that only authorized clients have access. Filtering is a security mechanism that can be used together with WEP or AES; it allows only what is needed and rejects everything the network does not want. The SSID (service set identifier) is the name of the wireless network; it is broadcast in clear text in beacon frames, so anyone can easily learn it, and SSID filtering can only reduce this exposure. MAC filtering is also implemented on all wireless clients so that only authorized ones can access the network. Protocol filtering passes only the necessary protocols, such as SMTP, POP3, HTTP, HTTPS and FTP.
2. WEP key management generates dynamic per-session and per-packet keys using central key management, since static keys are easily cracked. Per-session or per-packet keying assigns a new WEP key to the client and access point for each session or for each packet sent between the two. Dynamic keys add bulk, as heavier payloads reduce throughput, but they are difficult for hackers to crack. Load and security can therefore be balanced efficiently through a centralized key server that dynamically generates and assigns keys per session or per packet as required.
3. Wireless VPNs are virtual networks implemented on the access point; the client communicates with the access point using the PPTP and IPSec protocols to form a secure tunnel. The client first associates with the access point and then makes a dial-up VPN connection in order to send data or communicate; data is sent through the secure, encrypted channel. The use of the PPTP and IPSec protocols enhances security and increases the reliability of the network.
4. Temporal Key Integrity Protocol is an upgrade to WEP, which is not secure. TKIP uses dynamic keys, which prevent passive attacks, and is a very secure protocol implemented on the access points and clients. Its 128 bit key, called the temporal key, is shared among the clients and access points. TKIP combines the temporal key with the client's MAC address and then adds a 16 octet initialization vector to produce the encryption key, ensuring that each client uses a different key to encrypt its data. TKIP also prevents snooping attacks.
5. AES based solutions use the Advanced Encryption Standard for encryption on wireless LANs. It comes in 128, 192 and 256 bit key sizes and is considered the safer form of cryptography.
6. Wireless gateways are VPN-enabled devices with NAT, DHCP, PPPoE, WEP, MAC filters and a built-in firewall. They are considered the safest option for small offices and homes, act as an intermediary to other switches and extensions, and also support VPNs.
7. 802.1x and the Extensible Authentication Protocol (EAP) provide port based network access control, resulting in strong authentication; it is incorporated in many wireless LANs and is becoming popular among vendors. First the client sends an association request to the access point, and the access point replies with an EAP Identity request. The client sends its EAP response to the access point, which forwards the EAP identification to the authentication server. The server reacts accordingly and sends back an authorization request to the access point, which forwards it to the client. The client answers with an EAP authorization response to the access point, which in turn sends it to the server. If the check succeeds, the server sends EAP Success to the access point, and the access point sends a success message to the client and places the client's port in forward mode.
8. Corporate security policy: a good, strong corporate strategy can minimize vulnerabilities by recognizing the need for security and providing the appropriate documentation to make the WLAN a top priority. A company that uses wireless LANs should have a corporate security policy that addresses the unique risks wireless introduces to the network; one example is inappropriate cell sizing, which lets a hacker gain network access from beside the company premises. The policy should also cover strong passwords, strong keys, physical security, the use of advanced security and regular wireless hardware inventories. This prevents data loss and theft and emphasizes strong security.
9. Physical security is yet another security mechanism. As with wired media, one should carefully monitor the network in person, periodically analyze it with analyzer tools, and look around for any suspicious activity. Tight controls should be placed on users who hold the company's wireless client devices, such as not allowing them to take the devices outside the company premises, because WEP keys are stored in the NIC's firmware; a card obtained by a hacker would become the organization's weakest link, since the hacker no longer needs to be on the premises and can operate from a distance. If a card is stolen or lost, immediate action should be taken, and periodic scans should be done to detect such threats and vulnerabilities.
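The 802.1x/EAP exchange of item 7 as an added toy model, not code from the paper or from any 802.1x implementation: the access point keeps the client's controlled port blocked from association until the authentication server returns EAP Success. The credential store, the fixed challenge and the HMAC-SHA256 challenge-response are constructed stand-ins for a real EAP method:

```python
import hashlib
import hmac

# Constructed credential store held by the authentication server (e.g. RADIUS).
SERVER_CREDENTIALS = {"alice": b"correct horse battery staple"}
CHALLENGE = b"\x5a" * 16  # constructed; a real server issues a fresh random challenge


class AuthServer:
    """Authentication server: the only party that knows the client's secret."""
    def __init__(self, credentials):
        self.credentials = credentials

    def request_for(self, identity):
        return ("EAP-Request", CHALLENGE)  # answer to the relayed EAP identity

    def check(self, identity, response):
        secret = self.credentials.get(identity, b"")
        expected = hmac.new(secret, CHALLENGE, hashlib.sha256).digest()
        return "EAP-Success" if secret and hmac.compare_digest(expected, response) else "EAP-Failure"


class AccessPoint:
    """Authenticator: relays EAP and opens the controlled port only on EAP-Success."""
    def __init__(self, server):
        self.server = server
        self.port_state = {}  # client MAC -> "blocked" | "forwarding"

    def associate(self, mac):
        self.port_state[mac] = "blocked"  # associated, but the data port stays closed
        return "EAP-Request/Identity"

    def relay_identity(self, mac, identity):
        return self.server.request_for(identity)

    def relay_response(self, mac, identity, response):
        result = self.server.check(identity, response)
        if result == "EAP-Success":
            self.port_state[mac] = "forwarding"  # port placed in forward mode
        return result

    def forward(self, mac, frame):
        return self.port_state.get(mac) == "forwarding"  # data passes only after success


def supplicant_login(ap, mac, identity, secret):
    """Client side of the exchange; returns (final EAP message, whether data now flows)."""
    ap.associate(mac)
    _, challenge = ap.relay_identity(mac, identity)
    response = hmac.new(secret, challenge, hashlib.sha256).digest()
    result = ap.relay_response(mac, identity, response)
    return result, ap.forward(mac, b"constructed data frame")
```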
XI. SECURITY RECOMMENDATIONS
WEP: Do not rely solely on WEP, no matter how carefully it is implemented, because a wireless LAN protected with WEP alone is not secure. It only prevents casual eavesdropping.
Cell Sizing: To reduce the chance of eavesdropping, make sure that the cell size is appropriate. Hackers mostly look for locations where little time and energy must be spent to gain access to the network. Also try to locate the access point in the centre of the organization or home so that coverage can be controlled.
User Authentication: Authentication is the weakest link in a wireless LAN, as the 802.11 standard does not specify any method of authentication; a RADIUS server is therefore a useful addition for authentication and reduces the chance of unauthorized access.
Additional Security Tools: Technologies such as VPNs, firewalls, intrusion detection systems, 802.1x and EAP, and client authentication against a RADIUS server make wireless solutions secure above and beyond the 802.11 standard.
Monitoring Rogue Hardware: From time to time the company should check for rogue access points or similar hardware, which could otherwise lead to later threats.
Switches, not hubs: Always connect access points to a switch rather than a hub. A hub is a broadcasting device that sends every packet it receives to all its other ports, whereas a switch does not forward everything, which reduces the traffic available to a hacker for scanning.
Wireless DMZ: Another way to secure the network is to create a wireless demilitarized zone (WDMZ). It uses routers and firewalls and therefore costs a lot; the basic idea is that the access point is an unsecured and untrusted device, so it is separated from the other network segments.
Firmware and Software Updates: Regularly update the firmware and drivers of access points and wireless cards, as updated versions resolve common issues.
Device Authorization: Use device authorization such as MAC filters to exclude unwanted wireless clients.
Change Passwords: Last but not least, change passwords on a regular basis, use strong passwords, and also enable a BIOS password.
The wireless LAN is an exciting technology that now serves as a solution for organizations and for public and residential deployments, but one must address the growing concern over security threats and vulnerabilities and hackers' penetration into the network. Preventing such breaches by implementing the recommended settings and following the basic rules helps an organization cope with these threats and keep its workflow running smoothly. For these deployments, several key challenges must be met. This paper has given an overview of the security of wireless local area networks (LANs) as they are being deployed. It began with an overview of wireless network methodology and the general terminology needed to understand the issues, followed by a section discussing the various challenges associated with the security of wireless LANs, and finally a set of solutions to these problems.